ekoparty Security Conference 10° edición

Juliano Rizzo(Security consultant and researcher)

Padding oracles everywhere

The first part of the presentation introduces the audience to Padding
Oracle Attacks, the cryptographic concepts of the vulnerability, and
finally how to exploit it.
We also describe the algorithms implemented in POET (Padding Oracle
Exploit Tool). POET is the free tool that we released a few months ago
which can automatically find and exploit Padding Oracle
vulnerabilities in web applications.

The second part presents a previously unknown advanced attack. The
most significant new discovery is an universal Padding Oracle
affecting every ASP.NET web application. In short, you can decrypt
cookies, view states, form authentication tickets, membership
password, user data, and anything else encrypted using the framework's
API!

Finally we demonstrate the attacks against real world applications.
We use the Padding Oracle attack to decrypt data and use CBC-R to
encrypt our modifications. Then we abuse components present in every
ASP.NET installation to forge authentication tickets and access
applications with administration rights. The vulnerabilities exploited
affect the framework used by 25% of the Internet websites.The impact
of the attack depends on the applications installed on the server,
from information disclosure to total system compromise.

Sobre Jualiano Rizzo

Juliano Rizzo has been involved in computer security since 1996. For
more than a decade he has been working on vulnerability research,
reverse engineering and development of high quality exploits. As a
researcher he has published various security advisories, papers
and proof of concept tools. He is one of the founders and designers of
Netifera, an open source platform for network security tools. He
worked as a security consultant and exploit developer for Core
Security Technologies (2000-2006).